Abstract. Polynomial functions on the group of units $Q_n$ of the ring $\mathbb{Z}_{2^n}$ are
considered. A finite set of reduced polynomials $\mathcal{RP}_n$ in $\mathbb{Z}[x]$ that induces the
polynomial functions on $Q_n$ is determined. Each polynomial function on $Q_n$
is induced by a unique reduced polynomial - the reduction being made using
a suitable ideal in $\mathbb{Z}[x]$. The set of reduced polynomials forms a multiplicative
2-group. The obtained results are used to efficiently construct families of
exponential cardinality of, so called, huge $k$-ary quasigroups, which are useful
in the design of various types of cryptographic primitives. Along the way
we provide a new (and simpler) proof of a result of Rivest characterizing the
permutational polynomials on $\mathbb{Z}_{2^n}$.



1. Introduction 

The need for new kinds of computational methods and devices is growing as a
result of the possibility of their application in the new developing fields in
mathematics and computer science, in particular cryptography and coding theory. Finite
fields and integer quotient rings are traditionally used for such computational needs.
The integer quotient rings are somewhat disadvantaged due to the fact that their
nonzero multiplicative structure does not form a group (except when they happen
to be fields). The structure of the ring of polynomials over rings, and especially over
integer quotient rings, has been under investigation for almost a century. Let us
mention here chronologically some of the authors: Kempner (1921) [11], Nöbauer
(1965) [14], Keller and Olson (1968) [9], Mullen and Stevens (1984) [13], Rivest
(2001) [16], Bandini (2002) [1], Zhang (2004) [19]. We emphasize that the paper
of Rivest [16] is closest to our work and his results can be inferred from ours (see
Section [5]).

We consider its group of units $Q_n$ in and define a finite set $\mathcal{RP}_n$ of reduced
polynomials over $\mathbb{Z}$ that induce the set $\mathcal{PF}_n$ of all polynomial functions that keep
$Q_n$ invariant. The set $\mathcal{RP}_n$ is a finite 2-group under polynomial multiplication
modulo functional equivalence. Exactly half of the reduced polynomials induce
permutations on $Q_n$.

The reduced polynomials are obtained by using an ideal $I_n$ in $\mathbb{Z}[x]$ such that
every polynomial in $I_n$ induces the constant 0 function on $Q_n$ and two polynomials
are functionally equivalent over $Q_n$ if and only if they are equivalent with respect
to the ideal $I_n$.

By using our reduction algorithms we are able to give efficient answers to several
problems. We show that there are efficient algorithms (polynomial complexity with
respect to the input parameters) for the following problems:

(i) given a polynomial inducing a polynomial function on $Q_n$, determine the
reduced polynomial inducing the same polynomial function,

(ii) given a polynomial inducing a permutation on $Q_n$, determine the reduced
polynomial inducing the inverse permutation,

(iii) given a polynomial inducing a polynomial function on $Q_n$, determine the
reduced polynomial for the multiplicative inverse.

In the last part of the paper we use the obtained results to construct families
of quasigroups of large cardinality. We define the concept of huge quasigroups as
quasigroups of large order that can be handled effectively, in the sense that the
multiplication in the quasigroup, as well as in its adjoint operations, can be
effectively realized (polynomial complexity with respect to $\log n$, where $n$ is the order of
the quasigroup). The need for permutations and quasigroups of large (huge) orders
such as $2^{16}$, $2^{32}$, $2^{64}$, $2^{128}$, that can be easily handled is associated with the
development of the modern massively produced 32-bit and 64-bit processors. Strong
links between modern cryptography and quasigroups (equivalently, Latin squares)
have been observed by Shannon [18] more than 50 years ago. Subsequently, the
cryptographic potential of quasigroups in the design of different types of
cryptographic primitives has been addressed in numerous works. Authentication schemas
have been proposed by Dénes and Keedwell (1992) [5], secret sharing schemes by
Cooper, Donovan and Seberry (1994) [4], a version of the popular DES block cipher
using Latin squares by Carter, Dawson, and Nielsen (1995) [3], different proposals
for use in the design of cryptographic hash functions by several authors [17], [7], a
hardware stream cipher by Gligoroski, Markovski, Kocarev and Gusev (2005) [8].

We want to emphasize that the results in this work concerning effective con- 
structions of large quasigroups, besides in cryptography, can also be of interest in 
other areas (such as coding theory, design theory, ...). 

1.1. Organization of the content. Well known background on the structure of
the group $Q_n$ and on Hensel lifting (useful to extract inverses in $Q_n$) is presented in
Section [2]. Full description of the polynomials in $\mathbb{Z}[x]$ that induce transformations
on $Q_n$ (and the finite set of reduced polynomials that represent them) is provided
in Section [3], while the polynomials in $\mathbb{Z}[x]$ that induce permutations on $Q_n$ are
characterized in Section [4]. Section [5] is a brief interlude in which we use our results
to present a new proof of a result of Rivest [16] providing a characterization of
polynomials in $\mathbb{Z}[x]$ that induce permutations on $\mathbb{Z}_{2^n}$. The group of reduced
polynomials under multiplication is briefly considered in Section [6]. Section [7] provides
polynomial algorithms that handle construction of reduced polynomials related to
interpolation, functional inversion, and multiplicative inversion. Finally,
applications to effective constructions of large $k$-ary quasigroups are provided in Section [8].

2. The group $(Q_n, \cdot)$

The integer quotient ring $(\mathbb{Z}_k, +, \cdot)$, where $k$ is a positive integer, is a well known
mathematical structure, where the addition and multiplication are interpreted
modulo $k$. This ring is an associative and commutative ring with a unit element 1. Here
we are concerned solely with the case $k = 2^n$. The set $Q_n = \{1, 3, \dots, 2^n - 1\}$ is a
subgroup of the multiplicative semigroup $(\mathbb{Z}_{2^n}, \cdot)$. Indeed, $Q_n$ is precisely the group
of units of . Note that if $n = 1$, then $Q_n$ is trivial, and if $n = 2$, $Q_2 \cong \mathbb{Z}_2 = \langle -1 \rangle$.
The structure of the abelian group $Q_n$, for $n \ge 3$, is given by the following result.

Proposition 1. Let $n \ge 3$. Then $(Q_n, \cdot) \cong \mathbb{Z}_2 \times \mathbb{Z}_{2^{n-2}}$.

Moreover, $Q_n$ is generated by $-1$ and 5, the order of $-1$ is 2, and the order of 5
is $2^{n-2}$.

Proof. The subset $F_n \subseteq Q_n$ of numbers of the form $4k + 1$ forms a subgroup of
index 2 in $Q_n$. Since $5 \in F_n$, we have $5^{2^{n-2}} = 1$ in $Q_n$. On the other hand,

The highest power of 2 dividing $i!$ is $\lfloor i/2 \rfloor + \lfloor i/4 \rfloor + \cdots < i/2 + i/4 + \cdots = i$. Thus
each of the terms $\binom{2^{n-3}}{i} 2^{2i}$ is divisible by $2^{n-3+2i-(i-1)} = 2^{n-2+i}$ and we have

(1) $5^{2^{n-3}} = 1 + 2^{n-3} \cdot 2^2 \equiv 2^{n-1} + 1 \pmod{2^n}$.

Therefore $5^{2^{n-3}} \ne 1$ in $Q_n$, the order of 5 is $2^{n-2}$, and $F_n$ is a cyclic group generated
by 5.

The order of $-1$ is clearly 2. Since $-1$ is not in $F_n$ (it has the form $4k + 3$) we
have that $Q_n = \langle -1 \rangle \times \langle 5 \rangle \cong \mathbb{Z}_2 \times \mathbb{Z}_{2^{n-2}}$. □

Corollary 1. Let $n \ge 3$. The multiplicative order of every $a \in Q_n$ divides $2^{n-2}$.

Given a large value of $n$ and $a \in Q_n$, can we effectively find the inverse $a^{-1}$? Note
that if we express $a$ as $a = (-1)^i \cdot 5^j$, for some $i \in \{0, 1\}$, $j \in \{0, 1, \dots, 2^{n-2} - 1\}$,
then its inverse in $Q_n$ is given by

$$a^{-1} = (-1)^i \cdot 5^{2^{n-2} - j}.$$

However, this requires representing $a$ in the form $a = (-1)^i \cdot 5^j$, for some $i \in \{0, 1\}$.
It is fairly easy to decide if $i = 0$ or $i = 1$. Indeed, $i = 0$ when $a$ is of the form
$4k + 1$ and $i = 1$ otherwise. However, to determine $j$ we need to solve a discrete
logarithm problem of the type $5^x = a \pmod{2^n}$. This apparent difficulty can be
sidestepped by calculating the inverse by applying Hensel lifting [15] (also known
as Newton-Hensel lifting [10]).

The basic idea is to use binary representation of the integers modulo $2^n$. Given
$r \in \mathbb{Z}_{2^n}$, its binary representation is $r_{n-1} r_{n-2} \cdots r_1 r_0$, where $r_j \in \{0, 1\}$ is the
$(j + 1)$-th bit of $r$. In the same way, the binary representation of a variable $x$
is given by $x_{n-1} x_{n-2} \cdots x_1 x_0$, where $x_j$ are bit variables. Now, let $r$ be a root of
the polynomial $P(x)$. Then $P(x) = (x - r)S(x)$ for some polynomial $S(x)$. The
equality $P(x) = (x - r)S(x)$ in the ring $\mathbb{Z}_{2^k}$, where $k < n$, is given by

$$P(x_{k-1} \dots x_1 x_0) = (x_{k-1} \dots x_1 x_0 - r_{k-1} \dots r_1 r_0)\, S(x_{k-1} \dots x_1 x_0).$$

The last equality shows that if we want to find the $k$ least significant bits of a root
$r$ of $P(x)$, we need to consider the equation $P(x) = 0$ in the ring $\mathbb{Z}_{2^k}$.

One variant of the Hensel lifting algorithm for finding a root of $P(x)$ is the
following:

Step 1: Determine a bit $r_0$ such that $P(r_0) = 0$ in $\mathbb{Z}_2$.

This can be accomplished simply by checking if $P(0) = 0$ or $P(1) = 0$ (or both!)
in $\mathbb{Z}_2$.

Let the bits $r_0, \dots, r_{k-1}$ be already chosen in Step 1 - Step $k$.

Step $k + 1$: Determine a bit $r_k$ such that $P(r_k r_{k-1} \dots r_0) = 0$ in $\mathbb{Z}_{2^{k+1}}$.

Since the bits $r_0, \dots, r_{k-1}$ are known, this can be accomplished by checking if
$P(0 r_{k-1} \dots r_0) = 0$ or $P(1 r_{k-1} \dots r_0) = 0$ (or both) in $\mathbb{Z}_{2^{k+1}}$.

The algorithm stops after Step $n$.

In order to find all roots of a polynomial one has to follow all the branching points
of the algorithm (whenever both 0 and 1 are good choices one has to follow both
choices, and whenever neither 0 nor 1 are good choices one discards that particular
branch of the search).

Given $a \in Q_n$, the root of the polynomial $ax - 1$ is the inverse of $a$. In this case,
the above algorithm has polynomial complexity in $n$, since there is only one root
and the above algorithm will produce the unique correct bit of $a^{-1}$ at each step
(there is no branching).
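
The bit-by-bit lifting described above, written out as an added example (not code from the paper). The names `lift`, `hensel_roots` and `inverse_unit` are chosen here; polynomials are coefficient lists with the constant term first, and the sample inputs in the comments are constructed.

```python
def poly_eval(coeffs, x, mod):
    """Evaluate a_0 + a_1*x + ... + a_d*x^d modulo mod (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def lift(coeffs, n):
    """Run Step 1 .. Step n and return (roots, profile).

    roots   : all roots of the polynomial in Z_{2^n}, sorted
    profile : number of partial roots alive after each step; a value
              above 1 means the search branched, 0 means every branch died
    """
    partial = [0]          # no bits fixed yet
    profile = []
    for k in range(n):
        mod = 1 << (k + 1)             # Step k+1 works in Z_{2^(k+1)}
        lifted = []
        for r in partial:
            for bit in (0, 1):         # try r_k = 0 and r_k = 1
                candidate = r | (bit << k)
                if poly_eval(coeffs, candidate, mod) == 0:
                    lifted.append(candidate)
        partial = lifted
        profile.append(len(partial))
    return sorted(partial), profile


def hensel_roots(coeffs, n):
    """All roots of the polynomial in Z_{2^n}."""
    return lift(coeffs, n)[0]


def inverse_unit(a, n):
    """Inverse of an odd a modulo 2^n, found as the unique root of a*x - 1."""
    if a % 2 == 0:
        raise ValueError("a must be odd to be a unit of Z_{2^n}")
    roots, profile = lift([-1, a], n)
    if len(roots) != 1 or any(width != 1 for width in profile):
        raise AssertionError("a*x - 1 must lift without branching")
    return roots[0]


if __name__ == "__main__":
    # Constructed inputs: the inverse of 5 modulo 2^8, and x^2 - 1 modulo 2^4,
    # which does branch (it has four roots).
    print(inverse_unit(5, 8))
    print(lift([-1, 0, 1], 4))
```
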

3. Polynomial functions on $Q_n$

Every polynomial $P(x)$ from the polynomial ring $\mathbb{Z}[x]$ induces a polynomial
function $p : \mathbb{Z}_{2^n} \to \mathbb{Z}_{2^n}$ by the evaluation map (taken modulo $2^n$). We are interested
here in polynomial functions on $Q_n$, i.e., polynomial functions $p : Q_n \to Q_n$ induced
by polynomials $P(x)$ in $\mathbb{Z}[x]$ such that $p(Q_n) \subseteq Q_n$. Denote by $\mathcal{P}_n$ the set of
polynomials in $\mathbb{Z}[x]$ that induce polynomial functions on $Q_n$ and denote by $\mathcal{PF}_n$
the set of corresponding polynomial functions on $Q_n$. We implicitly assume that
$n \ge 2$ (as was already mentioned, $Q_1$ is trivial).

We first determine precisely the polynomials over $\mathbb{Z}$ that induce polynomial
functions on $Q_n$, i.e., we determine $\mathcal{P}_n$.

Proposition 2. Let $P(x) = a_0 + a_1 x + \cdots + a_d x^d$ be a polynomial in $\mathbb{Z}[x]$. Then
$P(x)$ is in $\mathcal{P}_n$ (i.e. $P(x)$ induces a polynomial function on $Q_n$) if and only if the
sum of the coefficients $a_0 + a_1 + \cdots + a_d$ is odd, which, in turn, is equivalent to the
condition that $p(1)$ is odd.

Proof. For every odd number $a$, all the powers $a^i$, $i = 0, \dots, d$ are also odd. Thus
the parity of $p(a) = a_0 + a_1 a + \cdots + a_d a^d$ is equal to the parity of $a_0 + \cdots + a_d$. □

The finite set $\mathcal{PF}_n$ of polynomial functions on $Q_n$ is induced by the infinite set
of polynomials in $\mathcal{P}_n$. We will determine a finite set of polynomials that induce all
polynomial functions in $\mathcal{PF}_n$. In order to define this set, we need some preliminary
definitions.

For an integer $i$, define $t_i = \lfloor i/2 \rfloor + \lfloor i/4 \rfloor + \cdots$, i.e., $t_i$ is the largest
integer $\ell$ such that $2^\ell$ divides $i!$. Let $d_n$ be the largest integer $i$ such that $n - i - t_i$
is positive.

Definition 1. A polynomial $P(x) = a_0 + a_1 x + \cdots + a_d x^d$ in $\mathcal{P}_n$ is called reduced
if

(i) the degree of $P(x)$ is no higher than $d_n$.

(ii) $0 \le a_i \le 2^{n-i-t_i} - 1$, for $i = 0, \dots, d_n$.

Denote the set of reduced polynomials in $\mathcal{P}_n$ by $\mathcal{RP}_n$.

Proposition 3. The number of reduced polynomials in $\mathcal{RP}_n$ is

$$|\mathcal{RP}_n| = 2^{(2n - d_n)(d_n + 1)/2 - 1 - \sum_{i=0}^{d_n} t_i}.$$

Proof. The number of polynomials of degree at most $d_n$ with restrictions on the
coefficients given by (ii) is

$$2^{\sum_{i=0}^{d_n} (n - i - t_i)} = 2^{n(d_n + 1) - d_n(d_n + 1)/2 - \sum_{i=0}^{d_n} t_i}.$$

Exactly half of such polynomials also satisfy the condition required by
Proposition [2] on the parity of the sum of the coefficients. Indeed, we can match up any
polynomial $P(x) = a_0 + a_1 x + \cdots + a_d x^d$ in that satisfies the conditions (i) and (ii)
with the polynomial $P(x) + 1$ if $a_0$ is even and with $P(x) - 1$ if $a_0$ is odd. In both
cases, the obtained polynomial also satisfies the conditions (i) and (ii). In such a
matching exactly one polynomial in each pair has odd sum of coefficients. □

Two polynomials $P(x)$ and $T(x)$ in $\mathcal{P}_n$ are said to be functionally equivalent
over $Q_n$ if they induce the same polynomial function on $Q_n$. In that case we write
$P(x) \approx T(x)$. Clearly, $\approx$ is an equivalence relation on $\mathcal{P}_n$.

The polynomials $P(x)$ and $T(x)$ are functionally equivalent over $Q_n$ if and only
if the difference $P(x) - T(x)$ induces the constant 0 function on $Q_n$. With this in
mind, we define now a finite set of polynomials over $\mathbb{Z}$ that induce the constant 0
function on $Q_n$.

Definition 2. For $i = 0, \dots, d_n$, define the polynomial

$$P_{n,i}(x) = 2^{n-i-t_i} (x + 1)(x + 3) \cdots (x + 2i - 1)$$

of degree $i$. When $i = 0$ the understanding is that $P_{n,0} = 2^n$. Define also the
polynomial

$$P_{n,d_n+1}(x) = (x + 1)(x + 3) \cdots (x + 2d_n + 1)$$

of degree $d_n + 1$.

Denote the ideal generated by $P_{n,i}(x)$, $i = 0, \dots, d_n + 1$, in $\mathbb{Z}[x]$ by $I_n$. Thus

$$I_n = \left\{ \sum_{i=0}^{d_n+1} S_i(x) P_{n,i}(x) \;\middle|\; S_i(x) \in \mathbb{Z}[x],\ i = 0, \dots, d_n + 1 \right\}.$$

Proposition 4. Every polynomial in $I_n$ induces the constant 0 function on $Q_n$.

Proof. What we need to prove is that, for every $x \in Q_n$,

$$p_{n,i}(x) = 0 \pmod{2^n}.$$

This is clear since, for any $x \in Q_n$ the product $(x + 1)(x + 3) \cdots (x + 2i - 1)$ is a
product of $i$ consecutive even numbers and it is therefore divisible by $2^i i!$, implying
that it is divisible by $2^{i+t_i}$. For $i = 0, \dots, d_n$ we then have that $p_{n,i}(x)$ is divisible
by $2^{n-i-t_i} \cdot 2^{i+t_i} = 2^n$. For $i = d_n + 1$, we have that $n \le i + t_i$, and therefore $2^n$
divides $p_{n,i}(x)$ in this case as well. □



We state now the two main results of this section. 
Theorem 1. Two polynomials $P(x)$ and $T(x)$ in $\mathcal{P}_n$ are functionally equivalent
over $Q_n$ if and only if $P(x) - T(x)$ is a member of $I_n$.

Theorem 2. Every polynomial function in $\mathcal{PF}_n$ is induced by a unique reduced
polynomial in $\mathcal{RP}_n$.

We will prove Theorem [1] and Theorem [2] through a series of lemmas and
propositions. Along the way we provide some additional information (for instance
Proposition [6] establishes a linear upper bound on the degree of a reduced
polynomial). While some other approaches are certainly possible, we chose to follow a
simple constructive route, since we are interested in algorithmic/complexity issues
(see Section [7]).

Proof of Theorem [1], sufficiency. If $P(x) - T(x)$ is in $I_n$ then, by Proposition [4],
$P(x) - T(x)$ induces the constant 0 function on $Q_n$, implying that $P(x)$ and $T(x)$
are functionally equivalent over $Q_n$. □

Proposition 5. Every polynomial function in $\mathcal{PF}_n$ is induced by a reduced
polynomial in $\mathcal{RP}_n$.

Moreover, for every polynomial $P(x)$ in $\mathbb{Z}[x]$ there exists a polynomial $S_P(x)$ in
$I_n$ such that $P(x) - S_P(x)$ is reduced and functionally equivalent to $P(x)$ over $Q_n$.

Proof. Let $p(x)$ be a polynomial function in $\mathcal{PF}_n$ induced by the polynomial $P(x)$.

If the degree $d$ of $P(x)$ is higher than $d_n$ we may replace $P(x)$ by
$P(x) - a_d x^{d-d_n-1} P_{n,d_n+1}$, where $a_d$ is the coefficient of $x^d$ in $P(x)$. The polynomial
$P(x) - a_d x^{d-d_n-1} P_{n,d_n+1}$ has degree smaller than $d$ and is functionally equivalent
to $P(x)$. We may continue this until we obtain a polynomial that is functionally
equivalent to $P(x)$ and has degree no higher than $d_n$.

We assume now that $P(x)$ has degree no higher than $d_n$. If $P(x)$ is reduced we
are done. Otherwise, let $i$ be the highest degree of a coefficient $a_i$ of $x^i$ that does
not satisfy the requirement $0 \le a_i \le 2^{n-i-t_i} - 1$. If $q$ is the quotient obtained by
dividing $a_i$ by $2^{n-i-t_i}$ then $P(x) \approx P(x) - qP_{n,i}$, and the coefficient at degree $i$ in
$P(x) - qP_{n,i}$ is in the correct range $0, \dots, 2^{n-i-t_i} - 1$.

We repeat this procedure with the next highest degree that has a coefficient
out of range until we reach a reduced polynomial that is functionally equivalent to
$P(x)$. □

Example 1. Let $n = 5$. We have $0 + t_0 = 0$, $1 + t_1 = 1$, $2 + t_2 = 3$, $3 + t_3 = 4$ and
$4 + t_4 = 7$. Therefore $d_5 = 3$, and every reduced polynomial has the form

$$R(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3,$$

where $0 \le a_0 \le 31$, $0 \le a_1 \le 15$, $0 \le a_2 \le 3$ and $0 \le a_3 \le 1$. The polynomials
$P_{5,i}(x)$, $i = 0, 1, 2, 3, 4$ are given by

$$\begin{aligned}
P_{5,0}(x) &= 2^5 = 32, \\
P_{5,1}(x) &= 2^4 (x + 1) = 16 + 16x, \\
P_{5,2}(x) &= 2^2 (x + 1)(x + 3) = 12 + 16x + 4x^2, \\
P_{5,3}(x) &= 2 (x + 1)(x + 3)(x + 5) = 30 + 14x + 18x^2 + 2x^3, \\
P_{5,4}(x) &= (x + 1)(x + 3)(x + 5)(x + 7) = 9 + 16x + 22x^2 + 16x^3 + x^4.
\end{aligned}$$



POLYNOMIAL FUNCTIONS ON THE UNITS OF $\mathbb{Z}_{2^n}$




Then, for the polynomial $P(x) = 3x^5 + 1$, we have

$$\begin{aligned}
P(x) = 1 + 3x^5 &\approx (1 + 3x^5) - 3x P_{5,4}(x) \\
&\approx 1 + 5x + 16x^2 + 30x^3 + 16x^4 \approx (1 + 5x + 16x^2 + 30x^3 + 16x^4) - 16 P_{5,4}(x) \\
&\approx 17 + 5x + 16x^2 + 30x^3 \approx (17 + 5x + 16x^2 + 30x^3) - 15 P_{5,3}(x) \\
&\approx 15 + 19x + 2x^2 \approx (15 + 19x + 2x^2) - P_{5,1}(x) \\
&\approx 31 + 3x + 2x^2.
\end{aligned}$$

The calculations are done modulo 32 all the time. This is equivalent to using
$P_{5,0} = 32$ to make reductions.
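
The two-stage reduction from the proof of Proposition 5, run on the polynomial of Example 1, as an added example (not code from the paper). The function names are chosen here; polynomials are coefficient lists with the constant term first and all arithmetic is done modulo $2^n$.

```python
def poly_eval(coeffs, x, mod):
    """Evaluate a_0 + a_1*x + ... modulo mod (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def t(i):
    """t_i: exponent of the largest power of 2 dividing i!."""
    total, power = 0, 2
    while power <= i:
        total += i // power
        power *= 2
    return total


def d_n(n):
    """d_n: the largest i such that n - i - t_i is positive."""
    i = 0
    while n - (i + 1) - t(i + 1) > 0:
        i += 1
    return i


def generator(n, i):
    """Coefficients mod 2^n of P_{n,i} from Definition 2 (i = 0 .. d_n + 1)."""
    mod = 1 << n
    poly = [1]
    for j in range(1, i + 1):                 # multiply by (x + 2j - 1)
        c = 2 * j - 1
        shifted = [0] + poly                  # x * poly
        scaled = [c * a for a in poly] + [0]  # (2j - 1) * poly
        poly = [(s + m) % mod for s, m in zip(shifted, scaled)]
    if i <= d_n(n):                           # scalar factor 2^(n - i - t_i)
        poly = [(a << (n - i - t(i))) % mod for a in poly]
    return poly


def reduce_poly(coeffs, n):
    """Reduced polynomial (length d_n + 1) functionally equivalent over Q_n."""
    mod, dn = 1 << n, d_n(n)
    a = [c % mod for c in coeffs]
    a += [0] * (dn + 1 - len(a))
    # Stage 1: lower the degree with the monic generator P_{n, d_n + 1}.
    top = generator(n, dn + 1)
    for deg in range(len(a) - 1, dn, -1):
        lead, shift = a[deg], deg - (dn + 1)
        for j, g in enumerate(top):
            a[shift + j] = (a[shift + j] - lead * g) % mod
    a = a[:dn + 1]
    # Stage 2: from the highest degree down, force 0 <= a_i < 2^(n - i - t_i).
    for i in range(dn, -1, -1):
        q = a[i] >> (n - i - t(i))            # quotient of a_i by 2^(n-i-t_i)
        for j, g in enumerate(generator(n, i)):
            a[j] = (a[j] - q * g) % mod
    return a


def same_function_on_units(p, q, n):
    """True when p and q agree on every odd residue modulo 2^n."""
    mod = 1 << n
    return all(poly_eval(p, x, mod) == poly_eval(q, x, mod)
               for x in range(1, mod, 2))


if __name__ == "__main__":
    # Example 1: P(x) = 1 + 3x^5 with n = 5.
    print(reduce_poly([1, 0, 0, 0, 0, 3], 5))
```
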

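Proposition 6. Every polynomial function in $\mathcal{PF}_n$ is induced by a polynomial of
degree smaller than $(n + 1 + \lfloor \log_2 n \rfloor)/2$.

Proof. We need to prove that $d_n < (n + 1 + \lfloor \log_2 n \rfloor)/2$.

First note that $i - 1 - \lfloor \log_2 i \rfloor \le t_i$. Indeed $t_i = \lfloor i/2 \rfloor + \lfloor i/4 \rfloor + \cdots$. Only the
first $\lfloor \log_2 i \rfloor$ terms of the series are possibly positive. Thus

$$t_i = \sum_{k=1}^{\lfloor \log_2 i \rfloor} \lfloor i/2^k \rfloor > \sum_{k=1}^{\lfloor \log_2 i \rfloor} (i/2^k - 1) = i\left(1 - \frac{1}{2^{\lfloor \log_2 i \rfloor}}\right) - \lfloor \log_2 i \rfloor > i\left(1 - \frac{2}{i}\right) - \lfloor \log_2 i \rfloor = i - 2 - \lfloor \log_2 i \rfloor.$$

Assume that $n \ge i \ge \frac{n + 1 + \lfloor \log_2 n \rfloor}{2}$. Then

$$i + t_i \ge 2i - 1 - \lfloor \log_2 i \rfloor \ge 2 \cdot \frac{n + 1 + \lfloor \log_2 n \rfloor}{2} - 1 - \lfloor \log_2 n \rfloor = n.$$

Since $d_n$ is the largest integer $i$ such that $n - i - t_i$ is positive, we must have
$d_n < \frac{n + 1 + \lfloor \log_2 n \rfloor}{2}$. □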



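Lemma 1. Let $M_m$ be the $(m + 1) \times (m + 1)$ Vandermonde matrix

$$M_m = \begin{bmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & 3 & 3^2 & \cdots & 3^m \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & (2m + 1) & (2m + 1)^2 & \cdots & (2m + 1)^m \end{bmatrix}$$

in which the rows and columns are indexed by $0, \dots, m$. The matrix $M_m$ is row
equivalent over $\mathbb{Z}$ to a matrix of the form

$$R_m = \begin{bmatrix} 1 & * & \cdots & * \\ 0 & 2 & \cdots & * \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & 2^m m! \end{bmatrix}$$

where the $*$'s represent integers (whose values are irrelevant for our purposes), and
the only type of row reduction used is the one in which an integer multiple of a row
is added to another row.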

Proof. We will prove, by induction on $m$, that

(i) every vector $r_{i,m} = (1, 2i + 1, \dots, (2i + 1)^m)$, $i \ge m + 1$, is a linear combination
of the rows $0, \dots, m$ in $M_m$,

(ii) the matrix $R_m$ can be obtained by row reduction of the indicated type from

(iii) assuming $r_{i,m} = a_0 r_{0,m} + \cdots + a_m r_{m,m}$ in (i),

$$r_{i,m+1} - (a_0 r_{0,m+1} + \cdots + a_m r_{m,m+1}) = (0, 0, \dots, 0, s_i),$$

where $s_{m+1} = 2^{m+1}(m + 1)!$ and $s_i$ is divisible by $2^{m+1}(m + 1)!$ if $i \ge m + 2$.

The claims (i), (ii), (iii) are clear for $m = 0$ and assume they are valid for some
$m \ge 0$. We proceed to the inductive step.

(i) Consider the vector $r_{i,m+1} = (1, 2i + 1, \dots, (2i + 1)^{m+1})$, $i \ge m + 2$. From
the inductive assumption (iii),

$$r_{i,m+1} - (a_0 r_{0,m+1} + \cdots + a_m r_{m,m+1}) = (0, 0, \dots, 0, s_i)$$

and

$$r_{m+1,m+1} - (a'_0 r_{0,m+1} + \cdots + a'_m r_{m,m+1}) = (0, 0, \dots, 0, 2^{m+1}(m + 1)!).$$

Since $2^{m+1}(m + 1)!$ divides $s_i$ we see that $r_{i,m+1}$ can be indeed written as a linear
combination of the rows $0, \dots, m + 1$ in $M_{m+1}$.

(ii) Since, from inductive assumption (iii),

$$r_{m+1,m+1} - (a'_0 r_{0,m+1} + \cdots + a'_m r_{m,m+1}) = (0, 0, \dots, 0, 2^{m+1}(m + 1)!),$$

we see that $M_{m+1}$ is row equivalent to a matrix $R'_{m+1}$ in which the bottom row is
$(0, 0, \dots, 0, 2^{m+1}(m + 1)!)$ and the upper left block of size $(m + 1) \times (m + 1)$ is $M_m$.
The inductive assumption (ii) shows that $R'_{m+1}$ is row equivalent to $R_{m+1}$.

(iii) Consider the matrix $M_{m+2}(i)$ obtained from $M_{m+1}$ by extending it by the
column vector $(1, 3^{m+2}, \dots, (2m + 3)^{m+2})$ on the right and then by the row vector
$r_{i,m+2}$, $i \ge m + 2$, at the bottom. The new matrix is the $(m + 3) \times (m + 3)$
Vandermonde matrix corresponding to the values $1, 3, 5, \dots, 2m + 3$ and $2i + 1$. From
parts (i) and (ii) of the inductive step that we just proved, we know that $M_{m+2}(i)$
is row equivalent to a matrix $R_{m+2}(i)$ in which the bottom row is $(0, 0, \dots, s_i)$, for
some integer $s_i$, and the upper left block of size $(m + 2) \times (m + 2)$ is $R_{m+1}$. The
determinant of the Vandermonde matrix $M_{m+2}(i)$ is equal to

$$\begin{aligned}
\det(M_{m+2}(i)) &= (3 - 1) \cdot (5 - 3)(5 - 1) \cdots ((2m + 3) - (2m + 1)) \cdots ((2m + 3) - 1) \\
&\quad \cdot ((2i + 1) - (2m + 3)) \cdots ((2i + 1) - 1) \\
&= \det(M_{m+1}) \cdot ((2i + 1) - (2m + 3)) \cdots ((2i + 1) - 1).
\end{aligned}$$

On the other hand, the row equivalence of $M_{m+2}(i)$ and $R_{m+2}(i)$ shows that

$$\det(M_{m+2}(i)) = \det(R_{m+2}(i)) = \det(R_{m+1}) \cdot s_i = \det(M_{m+1}) \cdot s_i.$$

Since $\det(M_{m+1}) \ne 0$ we obtain that $s_i = ((2i + 1) - (2m + 3)) \cdots ((2i + 1) - 1)$.

In case $i = m + 2$, $s_{m+2} = 2 \cdot 4 \cdots (2(m + 2)) = 2^{m+2}(m + 2)!$. If $i \ge m + 3$,
then $s_i$ is a product of $m + 2$ consecutive even numbers and is therefore divisible
by $2^{m+2}(m + 2)!$. The inductive claim (iii) now easily follows. □

Proof of Theorem [2], uniqueness. Let $p$ be a polynomial function in $\mathcal{PF}_n$. All
reduced polynomials inducing $p$ are given by

$$P(x) = a_0 + a_1 x + \cdots + a_d x^d,$$

where $d = d_n$, and the coefficients $a_0, \dots, a_d$ satisfy the linear system

$$M_d (a_0, a_1, \dots, a_d)^T = (p(1), p(3), \dots, p(2d + 1))^T,$$

where $(\cdot)^T$ stands for transposition. By Lemma [1] this system is equivalent in $\mathbb{Z}_{2^n}$
to the upper triangular system

$$R_d (a_0, a_1, \dots, a_d)^T = (b_0, b_1, \dots, b_d)^T,$$

where $b_i$ are some elements in $\mathbb{Z}_{2^n}$. Since odd numbers are units in $\mathbb{Z}_{2^n}$ this system
is equivalent to a triangular system

$$R'_d (a_0, a_1, \dots, a_d)^T = (b'_0, b'_1, \dots, b'_d)^T,$$

where

(2) $$R'_d = \begin{bmatrix} 2^{0+t_0} & * & \cdots & * \\ 0 & 2^{1+t_1} & \cdots & * \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & 2^{d+t_d} \end{bmatrix}$$

The last equation of this system now reads $2^{d+t_d} a_d = b'_d$. Since $0 \le a_d \le
2^{n-d-t_d} - 1$, this equation can only have one solution in $\mathbb{Z}_{2^n}$. We can substitute this
solution in the second to last equation to obtain an equation $2^{d-1+t_{d-1}} a_{d-1} = b'_{d-1}$
which will also have a unique solution in $\mathbb{Z}_{2^n}$ since $0 \le a_{d-1} \le 2^{n-(d-1)-t_{d-1}} - 1$.

Continuing with the backward substitution in the triangular system with matrix
$R'_d$ we obtain a unique solution for all the coefficients $a_d, a_{d-1}, \dots, a_0$ of $P(x)$. □

Proposition 7. The number of polynomial functions in $\mathcal{PF}_n$ is equal to the number
of reduced polynomials in $\mathcal{RP}_n$.



Example 2. Let $n = 4$. In this case $d = d_4 = 2$. Let $p$ be a polynomial function
in $\mathcal{PF}_4$ for which $p(1) = 9$, $p(3) = 5$ and $p(5) = 9$. We are trying to determine the
unique reduced polynomial $P(x) = a_0 + a_1 x + a_2 x^2$ in $\mathcal{RP}_4$ that induces $p$. Note
that the coefficients must satisfy the range conditions $0 \le a_0 \le 15$, $0 \le a_1 \le 7$, and
$0 \le a_2 \le 1$. The known values of $p$ give the system

$$\left[\begin{array}{ccc|c} 1 & 1 & 1 & 9 \\ 1 & 3 & 9 & 5 \\ 1 & 5 & 9 & 9 \end{array}\right]$$

which is row equivalent to

$$\left[\begin{array}{ccc|c} 1 & 1 & 1 & 9 \\ 0 & 2 & 8 & 12 \\ 0 & 0 & 8 & 8 \end{array}\right]$$

The last equation $8a_2 = 8$, together with the condition $0 \le a_2 \le 1$, gives $a_2 = 1$.
The second equation $2a_1 + 8a_2 = 12$, together with the conditions $a_2 = 1$ and
$0 \le a_1 \le 7$, gives $a_1 = 2$. Finally, the first equation $a_0 + a_1 + a_2 = 9$, together
with the conditions $a_2 = 1$, $a_1 = 2$ and $0 \le a_0 \le 15$, gives $a_0 = 6$. Thus the unique
reduced polynomial inducing $p$ is $P(x) = 6 + 2x + x^2$.

Example 3. It is clear that one can uniquely determine the reduced polynomial
$R(x)$ that is functionally equivalent to $P(x)$ from the value of $p$ at any $d_n + 1$
consecutive values of $x$.

On the other hand, not any $d_n + 1$ values are sufficient. Indeed, let $n = 4$ and $p$
be a polynomial function in $\mathcal{PF}_4$ for which $p(1) = 9$, $p(5) = 9$ and $p(9) = 9$. We
are trying to determine a reduced polynomial $R(x) = a_0 + a_1 x + a_2 x^2$ in $\mathcal{RP}_4$ that
induces $p$. The known values of $p$ give the system

$$\left[\begin{array}{ccc|c} 1 & 1 & 1 & 9 \\ 1 & 5 & 9 & 9 \\ 1 & 9 & 1 & 9 \end{array}\right]$$

which, together with the range conditions $0 \le a_0 \le 15$, $0 \le a_1 \le 7$, and $0 \le a_2 \le 1$,
gives the following 4 solutions: $R(x) = 9$, $R(x) = 6 + 2x + x^2$, $R(x) = 5 + 4x$,
$R(x) = 2 + 6x + x^2$. Note that one of these is the solution obtained in Example [2].

Proof of Theorem [1], necessity. Let $P(x)$ and $T(x)$ be two functionally equivalent
polynomials. By Proposition [5] there exist polynomials $S_P(x)$ and $S_T(x)$ in $I_n$ such
that $P(x) - S_P(x)$ and $T(x) - S_T(x)$ are reduced polynomials which are functionally
equivalent to $P(x)$ and $T(x)$. Theorem [2] then shows that $P(x) - S_P(x) = T(x) -
S_T(x)$, implying that $P(x) - T(x) = S_P(x) - S_T(x) \in I_n$. □

Proposition 8. The set of polynomials in $\mathbb{Z}_{2^n}[x]$ that induce the constant 0
function on $Q_n$ is precisely the ideal $I_n$.

Proof. We already know from Proposition [4] that the polynomials in $I_n$ induce the
constant 0 function on $Q_n$. Conversely, let $P(x)$ induce the constant 0 function
on $Q_n$. By Proposition [5] there exists a polynomial $S_P(x)$ in $I_n$ such that $P(x) -
S_P(x)$ is reduced and functionally equivalent to $P(x)$. Since the zero polynomial is
reduced, we must have $P(x) - S_P(x) = 0$, by the uniqueness property in Theorem [2].
Therefore $P(x) = S_P(x) \in I_n$. □



4. Permutational polynomial functions on $Q_n$

Some polynomial functions on $Q_n$ are permutations on $Q_n$. Denote the set of
such (permutational) polynomial functions by $\mathcal{PPF}_n$ and the set of polynomials
over $\mathbb{Z}$ inducing such functions by $\mathcal{PP}_n$.

Proposition 9. Let $P(x) = a_0 + a_1 x + \cdots + a_d x^d$ be a polynomial in $\mathcal{P}_n$. Then
$P(x)$ is in $\mathcal{PP}_n$ (i.e. $P(x)$ induces a permutational polynomial function on $Q_n$) if
and only if the sum of the odd indexed coefficients $a_1 + a_3 + a_5 + \cdots$ is an odd
number.

Proof. Let $a, b \in Q_n$. We have

$$\begin{aligned}
p(a) - p(b) &= a_1(a - b) + a_2(a^2 - b^2) + \cdots + a_d(a^d - b^d) \\
&= (a - b)(a_1 A_1 + a_2 A_2 + \cdots + a_d A_d),
\end{aligned}$$

where $A_1 = 1$ and $A_i = a^{i-1} + a^{i-2} b + \cdots + a b^{i-2} + b^{i-1}$, for $i \ge 2$. The number
$A_i$ is even if and only if $i$ is even. Consequently, $a_1 A_1 + a_2 A_2 + \cdots + a_d A_d$ is odd
if and only if $a_1 + a_3 + a_5 + \cdots$ is an odd number.

If $a_1 + a_3 + a_5 + \cdots$ is even then $(a - b)(a_1 A_1 + a_2 A_2 + \cdots + a_d A_d) = 0 \pmod{2^n}$,
for $a = 2^{n-1} + 1$, $b = 1$. Thus, for this choice of $a$ and $b$, we have $p(a) = p(b)$ and,
therefore, $p$ is not a permutation on $Q_n$.

If $a_1 + a_3 + a_5 + \cdots$ is odd then $(a - b)(a_1 A_1 + a_2 A_2 + \cdots + a_d A_d) = 0 \pmod{2^n}$
if and only if $a - b = 0 \pmod{2^n}$, i.e., $a = b$ in $Q_n$. Thus $p$ is a permutation in this
case. □

Since we have a bijective correspondence between reduced polynomials and
polynomial functions, it is clear that we also have a bijective correspondence between
the reduced polynomials in $\mathcal{RP}_n$ with odd sum of odd indexed coefficients and the
permutational polynomial functions in $\mathcal{PPF}_n$.

Proposition 10. The number of permutational polynomial functions in $\mathcal{PPF}_n$ is
equal to

$$|\mathcal{PPF}_n| = 2^{(2n - d_n)(d_n + 1)/2 - 2 - \sum_{i=0}^{d_n} t_i}.$$

Example 4. Reduced polynomials in $\mathcal{RP}_n$ of degree at most 3 that induce
permutational polynomial functions in $\mathcal{PPF}_n$ have the form $a_0 + a_1 x + a_2 x^2 + a_3 x^3$, where
$a_1 + a_3$ is odd, $a_0 + a_2$ is even, $0 \le a_0 \le 2^n - 1$, $0 \le a_1 \le 2^{n-1} - 1$, $0 \le a_2 \le 2^{n-3} - 1$,
and $0 \le a_3 \le 2^{n-4} - 1$.

Proposition 11. The inverse of a permutational polynomial function $p \in \mathcal{PPF}_n$
is also a polynomial function.

Proof. If $p \in \mathcal{PF}_n$ is a permutation on $Q_n$, then $p \in \sigma(Q_n)$, where $\sigma(Q_n)$ denotes
the full permutation group of $Q_n$. Let $r$ be the order of $p$ in $\sigma(Q_n)$. Then $p^{-1} = p^{r-1}$
and therefore, if $p$ is induced by the polynomial $P(x)$, then $p^{-1}$ is induced by the
polynomial $\underbrace{P(P(\dots P(x)))}_{r-1}$. □

Example 5. A linear permutational polynomial function $p$ has a linear
permutational polynomial function as its inverse. Indeed, if $p$ is induced by $b + ax$, then $a$
must be odd, $a^{-1}$ exists in and $p^{-1}$ is induced by the polynomial $-a^{-1} b + a^{-1} x$.

We can use the permutational polynomial functions on $Q_n$ to define permutations
on $\mathbb{Z}_{2^n}$ (this will be useful in our last section). Denote by $Q'_n$ the set $\mathbb{Z}_{2^n} \setminus Q_n$
(consisting of 0 and all zero divisors in $\mathbb{Z}_{2^n}$). We can easily conjugate the action
of a polynomial function on $Q_n$ to an action on $Q'_n$. Namely, given a polynomial
function $h : Q_n \to Q_n$, define $h' : Q'_n \to Q'_n$ by $h'(x) = h(x + 1) - 1$.

Given a permutation $p \in \mathcal{PF}_n$ we can define a permutation p on $\mathbb{Z}_{2^n}$ by

(3) p(x) --

More generally, given permutations $p, h \in \mathcal{PF}_n$, a permutation $f_{p,h}$ on $\mathbb{Z}_{2^n}$ can be
defined by

(4) $f_{p,h}$ =

5. On a result of Rivest

The main result of Rivest in [16] provides a criterion for a polynomial over $\mathbb{Z}$ to
induce a permutation on $\mathbb{Z}_{2^n}$. We infer now this result from our results. Note that
our proof only relies on Proposition [2] and Proposition [9], both of which have short
and rather elementary proofs.

Theorem 3 (Rivest [16]). A polynomial $P(x) = a_0 + a_1 x + \cdots + a_d x^d$ of degree
$d > 1$ over $\mathbb{Z}$ induces a permutation on $\mathbb{Z}_{2^n}$ if and only if the following conditions
are satisfied:








SMILE MARKOVSKI, DANILO GLIGOROSKI, AND ZORAN SUNIC 



(a) the sum $a_2 + a_4 + a_6 + \dots$ is even

(b) the sum $a_3 + a_5 + a_7 + \dots$ is even

(c) $a_1$ is odd

Proof. If $P(x)$ is a polynomial that permutes $\mathbb{Z}_{2^n}$ then all elements in $Q'_n = \mathbb{Z}_{2^n} \setminus
Q_n$ are mapped to elements of $Q'_n$ or all of them are mapped to elements in $Q_n$
depending on the parity of $a_0$. Let us first characterize those polynomials over $\mathbb{Z}$
that permute both $Q_n$ and $Q'_n$. They are precisely the polynomials for which

(i) $a_0$ is even

(ii) the sum of all coefficients $a_0 + a_1 + \cdots + a_d$ is odd

(iii) the sum of the odd index coefficients $a_1 + a_3 + \dots$ is odd

(iv) the sum of the odd index coefficients in $P(x + 1) - 1$ is odd.

The first condition ensures that $Q'_n$ is invariant, the second that $Q_n$ is invariant
(Proposition [2]), the third that $P(x)$ induces a permutation on $Q_n$ (Proposition [9])
and the last that $P(x)$ induces a permutation on $Q'_n$ (by conjugating the action
from $Q'_n$ to $Q_n$ we can again use Proposition [9]). Let $S(x) = P(x + 1) - 1$. The sum
of odd index coefficients of $S(x)$ is odd exactly when $(S(1) - S(-1))/2$ is odd. But
$(S(1) - S(-1))/2 = (P(2) - P(0))/2 = a_1 + 2a_2 + 2^2 a_3 + \cdots + 2^{d-1} a_d$, and therefore
this condition is equivalent to $a_1$ being odd. Therefore the conditions (i)-(iv) are
equivalent to

(i') $a_0$ is even

(ii') the sum $a_2 + a_4 + a_6 + \dots$ is even

(iii') the sum $a_3 + a_5 + a_7 + \dots$ is even

(iv') $a_1$ is odd.

Thus, in order to characterize all polynomials that induce a permutation on $\mathbb{Z}_{2^n}$
we just need to drop the condition that $a_0$ is even (which allows $Q_n$ and $Q'_n$ to be
mapped to each other, when $a_0$ is odd). □
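
The parity criteria of Proposition 2, Proposition 9 and Theorem 3 checked against brute-force evaluation, as an added example (not code from the paper). The function names and the choice of $n = 4$, degree at most 3 and coefficients in $0, \dots, 7$ are assumptions made here to keep the exhaustive search small.

```python
from itertools import product


def poly_eval(coeffs, x, mod):
    """Evaluate a_0 + a_1*x + ... modulo mod (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def permutes_units(coeffs):
    """Propositions 2 and 9: odd coefficient sum and odd sum of a_1, a_3, ..."""
    return sum(coeffs) % 2 == 1 and sum(coeffs[1::2]) % 2 == 1


def permutes_ring(coeffs):
    """Theorem 3: a_1 odd, a_2 + a_4 + ... even, a_3 + a_5 + ... even."""
    a1 = coeffs[1] if len(coeffs) > 1 else 0
    return (a1 % 2 == 1
            and sum(coeffs[2::2]) % 2 == 0
            and sum(coeffs[3::2]) % 2 == 0)


def is_permutation_of(coeffs, domain, mod):
    """Brute force: the image of the domain is the domain itself."""
    return {poly_eval(coeffs, x, mod) for x in domain} == set(domain)


def compare_with_brute_force(n, degree, coeff_bound):
    """Count disagreements between the criteria and direct evaluation."""
    mod = 1 << n
    units = range(1, mod, 2)      # Q_n
    ring = range(mod)             # Z_{2^n}
    stats = {"unit_mismatch": 0, "ring_mismatch": 0,
             "unit_perms": 0, "ring_perms": 0}
    for coeffs in product(range(coeff_bound), repeat=degree + 1):
        on_units = is_permutation_of(coeffs, units, mod)
        on_ring = is_permutation_of(coeffs, ring, mod)
        stats["unit_perms"] += on_units
        stats["ring_perms"] += on_ring
        stats["unit_mismatch"] += on_units != permutes_units(coeffs)
        stats["ring_mismatch"] += on_ring != permutes_ring(coeffs)
    return stats


if __name__ == "__main__":
    print(compare_with_brute_force(4, 3, 8))
```
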

In fact, we may establish a precise connection between the (permutational)
polynomial functions on $Q_n$ and those on $\mathbb{Z}_{2^n}$.

Proposition 12. Let $n \ge 2$. For every pair of polynomial functions $p, h \in \mathcal{PF}_n$,
there exists a polynomial function $g$ on $\mathbb{Z}_{2^n}$, such that

$$g(x) = f_{p,h}(x),$$

for $x$ in $\mathbb{Z}_{2^n}$.

Proof. Consider the polynomial

$$V_0(x) = \begin{cases} x^{2^{n-2}}, & n \ge 4, \\ x^4, & n = 3, \\ & n = 2. \end{cases}$$

We claim that, for the associated polynomial function $v_0(x)$ on $\mathbb{Z}_{2^n}$,

$v_0(x)$

The claim can be easily verified directly for $n = 2, 3$. Assume $n \ge 4$. From
Proposition [1] it follows that $v_0(x) = 1$, for $x \in Q_n$. On the other hand, $2^{n-2} \ge n$,
for $n \ge 4$, which then implies that $v_0(x) = x^{2^{n-2}} = 0$, for $x \in Q'_n$.

Let $V_1(x) = 1 - V_0(x)$. For the associated polynomial function $v_1(x)$ we clearly
have

$$v_1(x) = \begin{cases} 0, & x \in Q_n, \\ 1, & x \in Q'_n. \end{cases}$$

Therefore, if $P(x)$ and $H(x)$ are polynomials representing the polynomial functions
$p(x)$ and $h(x)$ then the polynomial

$$G(x) = P(x) V_1(x) + H'(x) V_0(x),$$

where $H'(x) = H(x + 1) - 1$, induces the function $f_{p,h}$, showing that this function
is a polynomial function on $\mathbb{Z}_{2^n}$. □

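Corollary 2. Let $n \geq 2$. The number of permutational polynomial functions on
$\mathbb{Z}_{2^n}$ is

$$2^{(2n - d_n)(d_n + 1) - 3 - 2\sum_{i=0}^{d_n} t_i},$$

where $t_i$ is the largest integer $\ell$ such that $2^\ell$ divides $i!$, and $d_n$ is the largest integer
$i$ such that $n - i - t_i$ is positive.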

Proof. Note that the correspondence that associates to each pair of permutational
polynomial functions $(p, h)$ on $Q_n$ the element $f_{p,h}$ in the set of permutational
polynomial functions on $\mathbb{Z}_{2^n}$ that keep both $Q_n$ and $Q'_n$ invariant is a bijection.
Thus, the number of such permutational polynomial functions on $\mathbb{Z}_{2^n}$ is $|\mathcal{PPF}_n|^2$.
The number of permutational polynomial functions on $\mathbb{Z}_{2^n}$ is twice as large as this
number since we need to take into account the polynomial functions that permute
$Q_n$ and $Q'_n$. Thus, the total number is

$$2|\mathcal{PPF}_n|^2 = 2^{(2n - d_n)(d_n + 1) - 3 - 2\sum_{i=0}^{d_n} t_i}.$$ □

It is interesting to compare the last corollary to earlier results counting
permutational polynomial functions on $\mathbb{Z}_{2^n}$. For instance, the following formula is proved
in [9]. For $n \geq 2$, the number of permutational polynomial functions on $\mathbb{Z}_{2^n}$ is
equal to

$$2^{3 + \sum_{j=3}^{n} \beta_j}, \tag{6}$$

where $\beta_j$ is the smallest integer $s$ such that $2^j$ divides $s!$. Combining this with our
result yields the identity

$$2\sum_{i=0}^{d_n} t_i + \sum_{j=3}^{n} \beta_j = (2n - d_n)(d_n + 1) - 6,$$

for $n \geq 2$. We note that the number of permutational polynomial functions given by
our formula in Corollary [2] seems easier to evaluate than by using ([6]), since
the summation goes to a smaller bound ($d_n$ rather than $n$) and the summands are
easier to compute.

6. Multiplication operation on reduced polynomials

Here we consider the multiplication operation on the set $\mathcal{RP}_n$ of reduced
polynomials.

We recall that $\mathcal{RP}_n$ is the set of representatives of the congruence classes of $\mathcal{P}_n$
modulo the functional equivalence relation $\approx$. In that sense, given $P(x), S(x) \in \mathcal{RP}_n$,
we denote by $P(x) \cdot S(x)$ the corresponding reduced polynomial inducing the
same polynomial function as the product $P(x)S(x)$ of the polynomials $P(x)$ and
$S(x)$. The set $\mathcal{P}_n$ forms a monoid under polynomial multiplication. Indeed, if the
sum of the coefficients of both $P(x)$ and $S(x)$ is odd, then $p(1)$ and $s(1)$ are odd
and therefore so is $p(1)s(1)$, implying that the sum of the coefficients of $P(x)S(x)$
is also odd.

Theorem 4. The equivalence $\approx$ is a congruence on $\mathcal{P}_n$. The factor $(\mathcal{RP}_n, \cdot) = \mathcal{P}_n/\!\approx$
is a finite 2-group.

Proof. Let $P_i(x) \approx S_i(x)$, for $i = 1, 2$, $T_P(x) = P_1(x)P_2(x)$, and $T_S(x) = S_1(x)S_2(x)$.
Then $t_P(x) = p_1(x)p_2(x) = s_1(x)s_2(x) = t_S(x)$. Thus $P_1(x)P_2(x) \approx S_1(x)S_2(x)$
and $\approx$ is a congruence on $\mathcal{P}_n$.

For every $a \in Q_n$, we have $a^{2^{n-2}} = 1$ in $Q_n$. Therefore, for any polynomial $P(x)$
in $\mathcal{P}_n$, the polynomial $P(x)^{2^{n-2}}$ is functionally equivalent to 1. Thus each reduced
polynomial has a multiplicative inverse. □

In order to avoid confusion we denote inverses of polynomial functions under
composition by $(\cdot)^{-1}$, and the inverse of a reduced polynomial $P(x)$ under
multiplication by $\frac{1}{P(x)}$.

The subset $\mathcal{PRP}_n$ of $\mathcal{RP}_n$ consisting of reduced polynomials that induce
permutations on $Q_n$ is not closed under multiplication. Indeed, $P(x) = 2 + x$ induces
a permutation on $Q_n$, while $P(x)^2 = 4 + 4x + x^2$ does not.

Proposition 13. The set of reduced permutational polynomials $\mathcal{PRP}_n$ is closed
under multiplicative inversion, i.e., $P(x) \in \mathcal{PRP}_n$ implies $\frac{1}{P(x)} \in \mathcal{PRP}_n$.

Proof. This directly follows from the fact that different elements in $Q_n$ have
different multiplicative inverses. □

Example 6. We have ^ = 2 + x in KV 3 , = 3 + 3x + x 2 in TZVa, and 

31+2x+2£i; 2 +a;3+K 4 = 4 + 7x + 2x 2 in TIV 5 . 

We note that finding the inverse polynomial by using the equality $\frac{1}{P(x)} =
P(x)^{2^{n-2}-1}$ is not effective. We provide an effective method in the next section.

7. Algorithmic aspects 

We briefly address the complexity issues related to interpolation of polynomial 
functions, inversion of permutational polynomial functions and multiplicative in- 
version of polynomials. 

Theorem 5. There exists an algorithm of polynomial complexity in $n$ that, given
the values $p(1), p(3), \dots, p(2d_n + 1)$ of a polynomial function $p$ in $\mathcal{PF}_n$, produces
the unique reduced polynomial $R(x)$ that induces $p$.

Proof. Note that $d_n$ has a linear upper bound in $n$ by Proposition [S]. Running the
row reduction on the $(d_n + 1) \times (d_n + 1)$ linear system as suggested in the uniqueness
part of the proof of Theorem [5] takes polynomially many steps in terms of $n$. □

Theorem 6. There exists an algorithm of polynomial complexity in $n + m$ that,
given a polynomial $P(x) \in \mathcal{P}_n$ of degree $m$ (with coefficients reduced modulo $2^n$,
i.e., coefficients in the range between 0 and $2^n - 1$ inclusive), produces the unique
reduced polynomial $R(x)$ that is functionally equivalent to $P(x)$.

Proof. By Theorem [5] it is sufficient to calculate $p(1), p(3), \dots, p(2d_n + 1)$ in
polynomially many steps in terms of $n + m$. This is possible since the degree of $P(x)$ is
$m$ and the calculations are done modulo $2^n$.

Another approach would be to use the reduction algorithm suggested in the proof 
of Proposition [5] and implemented in Example [TJ □ 

Theorem 7. There exists an algorithm of polynomial complexity in $n + m$ that,
given a polynomial $P(x)$ in $\mathcal{PP}_n$ of degree $m$ (with coefficients reduced modulo $2^n$),
produces the unique reduced polynomial inducing the inverse polynomial function
$p^{-1}$.

Proof. First calculate $p(1), p(3), \dots, p(2d_n + 1)$. Set up a system of linear equations
to determine the coefficients of the reduced polynomial $R(x) = a_0 + a_1 x + \dots + a_d x^d$
that is functionally equivalent to $p^{-1}$, where $d = d_n$. The system has the form

$$\begin{bmatrix} 1 & p(1) & p(1)^2 & \dots & p(1)^d \\ 1 & p(3) & p(3)^2 & \dots & p(3)^d \\ \vdots & & & & \vdots \\ 1 & p(2d+1) & p(2d+1)^2 & \dots & p(2d+1)^d \end{bmatrix} \begin{bmatrix} a_0 \\ a_1 \\ \vdots \\ a_d \end{bmatrix} = \begin{bmatrix} 1 \\ 3 \\ \vdots \\ 2d+1 \end{bmatrix}.$$

We apply row reduction to this system. The crucial observation is that since, for
every $a, b \in Q_n$,

$$P(a) - P(b) = (a - b)k_{a,b},$$

where $k_{a,b}$ is an odd number (see the proof of Proposition [9]) and odd numbers are
units in $\mathbb{Z}_{2^n}$, the row reduction will eventually lead to a system in which the matrix
of the system has the form ([2]). This system has a unique solution that can be found
by back substitution. □

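Example 7. Let $n = 4$ and $P(x) = 5 + x + x^2$. The polynomial $P(x)$ induces
a permutation $p$ on $Q_4$. We will find the unique reduced polynomial $R(x) =
a_0 + a_1 x + a_2 x^2$, with $0 \leq a_0 \leq 15$, $0 \leq a_1 \leq 7$, and $0 \leq a_2 \leq 1$, that induces the
inverse permutation $p^{-1}$ on $Q_n$.

We calculate $p(1) = 7$, $p(3) = 1$ and $p(5) = 3$. We then perform row reduction
(over $\mathbb{Z}_{16}$) on the system

$$\left[\begin{array}{ccc|c} 1 & 7 & 1 & 1 \\ 1 & 1 & 1 & 3 \\ 1 & 3 & 9 & 5 \end{array}\right] \to \left[\begin{array}{ccc|c} 1 & 7 & 1 & 1 \\ 0 & 10 & 0 & 2 \\ 0 & 12 & 8 & 4 \end{array}\right] \to \left[\begin{array}{ccc|c} 1 & 7 & 1 & 1 \\ 0 & 2 & 0 & 10 \\ 0 & 4 & 8 & 12 \end{array}\right] \to \left[\begin{array}{ccc|c} 1 & 7 & 1 & 1 \\ 0 & 2 & 0 & 10 \\ 0 & 0 & 8 & 8 \end{array}\right],$$

where the third matrix is obtained from the second by re-scaling the second row
by $13 = 5^{-1}$ and the third row by $11 = 3^{-1}$. The last system is triangular and has
unique solution $a_2 = 1$, $a_1 = 5$ and $a_0 = 13$. Thus $R(x) = 13 + 5x + x^2$ induces the
inverse polynomial function $p^{-1}$.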
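The row reduction of Theorem 7, carried out mechanically and checked against Example 7; this is an added example, not code from the paper. It assumes the reduced coefficient $a_i$ ranges over $[0, 2^{n-i-t_i})$, which is the pattern of the bounds Example 7 states for $n = 4$, and the function names are illustrative.

```python
def t(i):
    """Largest l with 2**l dividing i! (i minus its binary digit sum)."""
    return i - bin(i).count("1")

def d(n):
    """d_n from Corollary 2: the largest i such that n - i - t_i is positive."""
    i = 0
    while n - (i + 1) - t(i + 1) > 0:
        i += 1
    return i

def evaluate(coeffs, x, mod):
    """Horner evaluation; coeffs are listed lowest degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc

def inverse_polynomial(P, n):
    """Reduced polynomial inducing p^{-1} on Q_n, for P permutational on Q_n."""
    mod, dn = 1 << n, d(n)
    xs = [2 * j + 1 for j in range(dn + 1)]        # nodes 1, 3, ..., 2d+1
    ys = [evaluate(P, x, mod) for x in xs]         # p(1), p(3), ..., p(2d+1)
    # Augmented rows [1, y, y^2, ..., y^d | x] encode R(p(x)) = x.
    rows = [[pow(y, c, mod) for c in range(dn + 1)] + [x] for x, y in zip(xs, ys)]
    shift = []
    for c in range(dn + 1):
        pivot = rows[c][c]
        if pivot == 0:
            raise ValueError("P does not induce a permutation on Q_n")
        v = (pivot & -pivot).bit_length() - 1      # pivot = 2**v * odd
        odd_inv = pow(pivot >> v, -1, mod)         # odd numbers are units
        rows[c] = [e * odd_inv % mod for e in rows[c]]   # pivot becomes 2**v
        for r in range(c + 1, dn + 1):
            m = rows[r][c] >> v                    # exact: entry is a multiple of 2**v
            rows[r] = [(a - m * b) % mod for a, b in zip(rows[r], rows[c])]
        shift.append(v)
    coeffs = [0] * (dn + 1)
    for c in range(dn, -1, -1):                    # back substitution
        rhs = rows[c][-1] - sum(rows[c][k] * coeffs[k] for k in range(c + 1, dn + 1))
        # Assumption: the reduced coefficient a_c lies in [0, 2**(n - v)).
        coeffs[c] = ((rhs % mod) >> shift[c]) % (1 << (n - shift[c]))
    return coeffs

# Example 7 of the text: n = 4, P(x) = 5 + x + x^2.
print(inverse_polynomial([5, 1, 1], 4))            # [13, 5, 1], i.e. 13 + 5x + x^2
```

The pivots come out as $1, 2, 8$ for $n = 4$, the same triangular system the example reaches by hand.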



Theorem 8. There exists an algorithm of polynomial complexity in $n + m$ that,
given a polynomial $P(x) \in \mathcal{P}_n$ of degree $m$ (with coefficients reduced modulo $2^n$),
produces the multiplicative inverse $\frac{1}{P(x)}$ in reduced form.

Proof. To calculate the reduced polynomial $S(x) = \frac{1}{P(x)}$ it suffices to calculate $p(x)$
for $x = 1, 3, \dots, 2d_n + 1$, then calculate the multiplicative inverses $s(x) = \frac{1}{p(x)}$, for
$x = 1, 3, \dots, 2d_n + 1$, and finally use Theorem [5] to find the coefficients of $S(x)$. □
8. Huge quasigroups defined by polynomial functions

A $k$-groupoid ($k \geq 1$) is an algebra $(Q, f)$ on a nonempty set $Q$ as its universe
and with one $k$-ary operation $f : Q^k \to Q$.

Definition 3. A $k$-groupoid $(Q, f)$ is said to be a $k$-quasigroup if any $k$ out of any
$k + 1$ elements $a_1, a_2, \dots, a_{k+1} \in Q$ satisfying the equality

$$f(a_1, a_2, \dots, a_k) = a_{k+1}$$

uniquely determine the remaining one.

A $k$-groupoid is said to be a cancellative $k$-groupoid if it satisfies the cancellation
law

$$f(a_1, \dots, a_{i-1}, x, a_{i+1}, \dots, a_k) = f(a_1, \dots, a_{i-1}, y, a_{i+1}, \dots, a_k) \implies x = y,$$

for each $i = 1, \dots, k$ and all $x, y, a_1, \dots, a_{i-1}, a_{i+1}, \dots, a_k$ in $Q$.
For $k = 2$ we obtain the standard notion of a quasigroup.

The definition of a $k$-quasigroup immediately implies the following. Let $(Q, f)$
be a finite $k$-quasigroup and let the map $\varphi : Q \to Q$ be defined by $\varphi(x) =
f(a_1, \dots, a_{i-1}, x, a_{i+1}, \dots, a_k)$, for some fixed $a_1, \dots, a_{i-1}, a_{i+1}, \dots, a_k$ in $Q$. Then
$\varphi$ is a permutation on $Q$.

Here we consider only finite $k$-quasigroups $(Q, f)$, i.e., $Q$ is a finite set, and in
this case we have the following property [12].

Proposition 14. The following statements are equivalent for a finite k-groupoid 
(Q,f): 

(a) (Q,f) is a k-quasigroup. 

(b) (Q,f) is a cancellative k-groupoid. 

Given a $k$-quasigroup $(Q, f)$ we can define $k$ new $k$-ary operations $f_i$, $i =
1, 2, \dots, k$, by

$$f_i(a_1, \dots, a_k) = b \iff f(a_1, \dots, a_{i-1}, b, a_{i+1}, \dots, a_k) = a_i.$$

These operations are called adjoint operations of $f$. Then $(Q, f_i)$ are $k$-quasigroups
as well (0).

Definition 4. A huge $k$-quasigroup is said to be a $k$-quasigroup $(Q, f)$ such that
all of the operations $f, f_1, f_2, \dots, f_k$ can be computed with complexity $O(\log(|Q|)^\alpha)$
for some constant $\alpha$.

The problem of effective constructions of quasigroups of any order can be solved,
for example, by using P. Hall's algorithm for choosing different representatives for
a family of sets. The algorithm is of complexity $O(n^3)$, where $n$ is the order of the
quasigroup, and is not applicable for, let us say, $n = 2^{16}$. We will show here how the
permutational polynomial functions from $\mathcal{PF}_n$ can be used in order to construct
families of huge quasigroups on the sets $Q_n$ and $\mathbb{Z}_{2^n}$.

Theorem 9. Let $p_1, p_2, \dots, p_k$ be permutations in $\mathcal{PPF}_n$. Define a $k$-ary operation
$f$ on $Q_n$ by

$$f(a_1, a_2, \dots, a_k) = p_1(a_1)p_2(a_2) \cdots p_k(a_k) \pmod{2^n}. \tag{7}$$

Then the $k$-groupoid $(Q_n, f)$ is a huge quasigroup.
Proof. Let $r = 2^n$. The permutations in $\mathcal{PPF}_n$ are defined by polynomials $P(x)$
of degree smaller than $(\log_2 r + 1 + \lfloor \log_2(\log_2 r) \rfloor)/2$ (by Proposition [6]). Then
the evaluation of $P(x)$ modulo $2^n$ can be computed in polynomial complexity with
respect to $\log_2 r$. Consequently, the function $f$ defined by ([7]) can be computed in
polynomial complexity with respect to $\log_2 r$.

Consider now the adjoint operations $f_i$ of $f$. We have, for any $a_1, a_2, \dots, a_k, b \in Q_n$,

$$\begin{aligned}
f_i(a_1, a_2, \dots, a_k) = b &\iff f(a_1, \dots, a_{i-1}, b, a_{i+1}, \dots, a_k) = a_i \\
&\iff p_1(a_1) \cdots p_{i-1}(a_{i-1})\, p_i(b)\, p_{i+1}(a_{i+1}) \cdots p_k(a_k) = a_i \\
&\iff p_i(b) = (p_{i-1}(a_{i-1}))^{-1} \cdots (p_1(a_1))^{-1}\, a_i\, (p_k(a_k))^{-1} \cdots (p_{i+1}(a_{i+1}))^{-1} \\
&\iff b = p_i^{-1}\big((p_{i-1}(a_{i-1}))^{-1} \cdots (p_1(a_1))^{-1}\, a_i\, (p_k(a_k))^{-1} \cdots (p_{i+1}(a_{i+1}))^{-1}\big).
\end{aligned}$$

By using the Hensel lifting technique the inverse elements $(p_j(a_j))^{-1}$ can be
computed in polynomial complexity with respect to $\log_2 r$ (see Section), and the same
is true for the inverse permutation $p_i^{-1}$ by Theorem [7]. □
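The construction of Theorem 9 and its adjoint operations on a set far too large to tabulate, as an added example (not code from the paper). The choice $n = 64$ and the three polynomials are constructed for illustration, and the inverse permutation is found by lifting one bit at a time, a substitute for the interpolation of Theorem 7.

```python
N = 64                      # constructed choice: Q_64 has 2**63 elements
MOD = 1 << N

# Constructed polynomials, lowest degree first. Each maps odd numbers to odd
# numbers and satisfies P(a) - P(b) = (a - b) * k with k odd, so each induces
# a permutation on Q_N: 5 + x + x^2, 2 + x, x + 2x^3.
POLYS = [[5, 1, 1], [2, 1], [0, 1, 0, 2]]

def evaluate(coeffs, x):
    """Horner evaluation modulo 2**N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % MOD
    return acc

def f(args):
    """Equation (7): f(a_1, ..., a_k) = p_1(a_1) ... p_k(a_k) mod 2**N."""
    out = 1
    for P, a in zip(POLYS, args):
        out = out * evaluate(P, a) % MOD
    return out

def invert_permutation(P, y):
    """Solve P(b) = y on Q_N. If b is correct modulo 2**j, then exactly one of
    b and b + 2**j is correct modulo 2**(j+1), because
    P(b + 2**j) - P(b) = 2**j * (odd)."""
    b = 1                                   # every element of Q_N is 1 mod 2
    for j in range(1, N):
        if (evaluate(P, b) - y) % (1 << (j + 1)):
            b += 1 << j
    return b

def adjoint(i, args):
    """f_i(a_1, ..., a_k) = b  <=>  f(a_1, ..., b in slot i, ..., a_k) = a_i."""
    target = args[i]
    for j, (P, a) in enumerate(zip(POLYS, args)):
        if j != i:
            target = target * pow(evaluate(P, a), -1, MOD) % MOD
    return invert_permutation(POLYS[i], target)
```

Each call costs a number of modular multiplications polynomial in $N = \log_2 r$, which is the property Definition 4 asks for.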

Theorem 10. Let $p_1, p_2, \dots, p_k$ be permutations in $\mathcal{PPF}_n$. Define a $k$-ary
operation $f$ on $\mathbb{Z}_{2^n}$ by

$$f(a_1, a_2, \dots, a_k) = p_1(a_1) + p_2(a_2) + \dots + p_k(a_k) \pmod{2^n}, \tag{8}$$

where $p_i$ are defined by ([3]). Then the $k$-groupoid $(Q_n, f)$ is a huge quasigroup.

Proof. The proof is similar to the proof of Theorem [9]. We only need to note that
the inverse permutation

$$p_i^{-1}(a) = \begin{cases} p_i^{-1}(a), & a \in Q_n, \\ p_i^{-1}(a + 1) - 1, & a \in Q'_n \end{cases}$$

can be computed in polynomial complexity with respect to $\log_2 r$. □

Theorem 11. Let $p_1, p_2, \dots, p_k$ and $h_1, h_2, \dots, h_k$ be permutations in $\mathcal{PPF}_n$.
Define a $k$-ary operation $f$ on $\mathbb{Z}_{2^n}$ by

$$f(a_1, a_2, \dots, a_k) = f_{p_1,h_1}(a_1) + f_{p_2,h_2}(a_2) + \dots + f_{p_k,h_k}(a_k) \pmod{2^n}, \tag{9}$$

where $f_{p_i,h_i}$ are defined by Q). Then the $k$-groupoid $(Q_n, f)$ is a huge quasigroup.

We note that Rivest [16] gives a simple necessary and sufficient condition for a
bivariate polynomial $P(x, y)$ modulo $2^n$ to represent a quasigroup on $\mathbb{Z}_{2^n}$, namely
$P(x, 0)$, $P(x, 1)$, $P(0, y)$ and $P(1, y)$ should be univariate permutational
polynomials on $\mathbb{Z}_{2^n}$. This result is based on his main result in [16] (see Theorem [3] in
Section [5]).